CVE-2026-42997
Published: 05 May 2026
Description
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Enforces proper authorization rules for any resource or data transfer between different spheres.
- Accountability, documentation, and protection requirements ensure correct transfer of media resources between spheres.
- Reduces incorrect transfers between spheres by establishing clear, separate domains for different sensitivities or functions.
- Governs all resource transfers between spheres, preventing incorrect or unauthorized movement of data or capabilities across domain interfaces.
- Addresses incorrect transfer of resources to an uncontrolled sphere by requiring approved destruction or sanitization methods.
Security Summary (AI)
CVE-2026-42997 affects the iDRAC component in OpenStack Ironic versions before 35.0.1. The vulnerability arises during the import process when a user invoking molds can request that authorization credentials be forwarded to a remote endpoint under their control. These credentials include either a time-limited Keystone token, which grants access to all OpenStack services that Ironic is authorized for, or basic credentials configured for molds storage. The issue is classified under CWE-669 and carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
A low-privileged user (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By specifying a malicious remote endpoint during molds import, the attacker receives the sensitive credentials, resulting in high confidentiality impact (C:H) with a change of scope (S:C), since the forwarded credential grants access beyond Ironic itself. This could allow the attacker to use the Keystone token for unauthorized access across the OpenStack services Ironic is authorized for, or to use the basic credentials configured for molds storage.
OpenStack Security Advisory OSSA-2026-010 addresses the vulnerability, with fixes released in OpenStack Ironic versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. Security practitioners should upgrade to these versions to mitigate the issue. Further technical details are provided in the oss-security mailing list announcements at the referenced URLs.
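As an added example (not code from the advisory or the Ironic project), a small triage helper that applies the fixed-version list above and reports whether a host's molds configuration also carries basic credentials that a forwarded request could leak; the option names [molds] user and [molds] password are assumed.

```python
import configparser

# Fixed releases named in the advisory, one per patched stable series.
FIXED_VERSIONS = ("26.1.6", "29.0.5", "32.0.1", "35.0.1")

def parse_version(text):
    """Turn an Ironic release string 'X.Y.Z' into a comparable int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)

def is_fixed(installed):
    """True if this Ironic version carries the fix on its own stable series.

    35.0.1 and later are fixed. Older series are fixed only from the release
    listed for that series; a series with no listed release (27.x, 30.x, ...)
    has no fixed release and is reported as affected.
    """
    inst = parse_version(installed)
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS)
    if inst >= fixed[-1]:
        return True
    on_series = [f for f in fixed if f[0] == inst[0]]
    return bool(on_series) and inst >= on_series[0]

def molds_credentials_configured(conf_text):
    """True if [molds] holds basic credentials a forwarded request could leak.

    Assumption: the option names are [molds] user and [molds] password.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    return (cfg.has_section("molds")
            and bool(cfg.get("molds", "user", fallback=""))
            and bool(cfg.get("molds", "password", fallback="")))

def triage(installed, conf_text):
    """State what a mold import pointed at an attacker endpoint could leak."""
    if is_fixed(installed):
        return "fixed"
    if molds_credentials_configured(conf_text):
        return "affected: Keystone token and molds basic credentials"
    return "affected: Keystone token"

# Constructed sample ironic.conf fragment (values are placeholders).
SAMPLE_CONF = "[molds]\nstorage = http\nuser = molds-user\npassword = placeholder\n"
```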
Details
- CWE(s): CWE-669 (Incorrect Resource Transfer Between Spheres)
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability directly enables an attacker to force forwarding of Keystone tokens or basic credentials to a remote endpoint (T1528: Steal Application Access Token and T1552: Unsecured Credentials); captured tokens then allow use of valid cloud accounts across OpenStack services (T1078.004: Valid Accounts: Cloud Accounts).